How to find root owned world writable files?

pinga123 · 10-11-2010, 06:27 AM

Being a system administrator i came across a statement as " Excluding temporary directories /tmp and /var/tmp, no root owned files should be in world writable directories"

While the above statement may look straight forward but how would i check if there are any such directories in the distribution?

acid_kewpie · 10-11-2010, 06:39 AM

Code:

find / -owner root -perm /o=w

should cover it i think.

pinga123 · 10-11-2010, 06:59 AM

Quote:

Originally Posted by acid_kewpie

Code:

find / -owner root -perm /o=w

should cover it i think.

I think this will be more appropriate .

Correct me if i m wrong.

Code:

# find / -type d -user root -perm /o=w

angel115 · 10-11-2010, 07:21 AM

~~mistake~~

acid_kewpie · 10-11-2010, 07:22 AM

certainly it's -user, not -owner. doh.

GrapefruiTgirl · 10-11-2010, 07:39 AM

So, I'm still missing something here. Won't the solution(s) offered, identify root-owned other-writeable directories, but not check whether there's any root-owned files in there (and if there aren't, then the directory should be filtered out of the results, no?)?

acid_kewpie · 10-11-2010, 07:46 AM

Quote:

Originally Posted by GrapefruiTgirl

So, I'm still missing something here. Won't the solution(s) offered, identify root-owned other-writeable directories, but not check whether there's any root-owned files in there (and if there aren't, then the directory should be filtered out of the results, no?)?

-d is short for "da files"

grail · 10-11-2010, 07:53 AM

Well your query says root owned 'files' not directories so '-type d' would be incorrect.
I believe you would need to pipe food into a while loop and check if directory had the correct perms.

Something like:

Code:

while read -r test_file
do
    [[ $(stat -c%A "$test_file") =~ .w.$ ]] && echo "${test_file%/*}"
done< <(find -type f -user root)

Edit: Forgot to print the right thing ... oops

acid_kewpie · 10-11-2010, 08:00 AM

Quote:

Originally Posted by grail

Well your query says root owned 'files' not directories so '-type d' would be incorrect.
I believe you would need to pipe food into a while loop and check if directory had the correct perms.

Something like:

Code:

while read -r test_file
do
    [[ $(stat -c%A "$test_file") =~ .w.$ ]] && echo "$test_file"
done< <(find -type f -user root)

Why do I keep misreading things? Yes, you would have a two stage thing here as find doesn't keep any context in terms of what files are in what directories. So you'd need to find the directories and then see if in that directory there are any files owned by root.

GrapefruiTgirl · 10-11-2010, 08:33 AM

Thanks grail & Chris - that clears things up!

grail, I had been working on something similar to what you've got there, but yours looks better.

grail · 10-11-2010, 08:35 AM

thanks

pinga123 · 10-11-2010, 11:28 PM

Quote:

Originally Posted by grail

thanks

Its seems i have thousands of files lying there .
Not sure about whatever i did is correct.Here listing the things i did.

I have created a bash script named tempprogram.sh

place it under / directory.

executed.

content:

Code:

# cat testprogram.sh
#!/bin/bash

while read -r test_file
do
    [[ $(stat -c%A "$test_file") =~ .w.$ ]] && echo "${test_file%/*}"
done< <(find -type f -user root)

Output

only some part of output is pasted as its too much to post.

Code:

./proc/5834/task/5834/attr
./proc/5834/task/5834/attr
./proc/5834/task/5834/attr
./proc/5834/task/5834/attr
./proc/5834/task/5834/attr
./proc/5834/task/5855/attr
./proc/5834/task/5855/attr
./proc/5834/task/5855/attr
./proc/5834/task/5855/attr
./proc/5834/task/5855/attr
./proc/5834/attr
./proc/5834/attr
./proc/5834/attr
./proc/5834/attr
./proc/5834/attr
./proc/5999/task/5999/attr
./proc/5999/task/5999/attr
./proc/5999/task/5999/attr
./proc/5999/task/5999/attr
./proc/5999/task/5999/attr
./proc/5999/task/6007/attr
./proc/5999/task/6007/attr
./proc/5999/task/6007/attr
./proc/5999/task/6007/attr
./proc/5999/task/6007/attr
./proc/5999/task/6382/attr
./proc/5999/task/6382/attr
./proc/5999/task/6382/attr
./proc/5999/task/6382/attr
./proc/5999/task/6382/attr
./proc/5999/attr
./proc/5999/attr
./proc/5999/attr
./proc/5999/attr
./proc/5999/attr
./proc/6001/task/6001/attr
./proc/6001/task/6001/attr
./proc/6001/task/6001/attr
./proc/6001/task/6001/attr
./proc/6001/task/6001/attr
./proc/6001/attr
./proc/6001/attr
./proc/6001/attr
./proc/6001/attr
./proc/6001/attr
./proc/6028/task/6028/attr
./proc/6028/task/6028/attr
./proc/6028/task/6028/attr

Please guide me on next course of action.

grail · 10-12-2010, 12:20 AM

Just noticed that we are also stating the file and not the directory ... my bad.
Change the following:

Code:

$(stat -c%A "$test_file")

# to

$(stat -c%A "${test_file%/*}")

Now we will be testing if the directory is writable and not the file

chrism01 · 10-12-2010, 01:21 AM

@pinga123: /proc is a window into the kernel; ignore that dir

pinga123 · 10-12-2010, 11:26 PM

Please find the modified code but even this seems to generate lot of output entries i guess they and in lacks.
Please help.

Quote:

# cat testprogram.sh
#!/bin/bash

while read -r test_file
do
[[ $(stat -c%A "${test_file%/*}") ]] && echo "${test_file%/*}"
done< <(find -type f -user root)